Hello, We have virtual Fortigates (Active-Standby HA) installed in ESXi environment. We would like to deploy Virtual Server for Load balancing our DNS.
IP address of DNS-1 - 10.0.0.1
IP address of DNS-2 - 10.0.1.1
Virtual IP will be IP of loopback - 10.0.2.1
How do I need to provide access from policy side?
Do I need to "enable" Virtual server (Apply some policy) how it done when you configure IPsec\Remote access vpn?
Do I need to provide any accesses from or to Virtual IP?
Do I need to allow access from different interfaces to Virtual IP for dns request?
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
For clarification, are you saying that the DNS servers will create an IPsec tunnel to the FortiGate and you want to load balance across the two IPsec tunnels? If so, will they be dial-up tunnels with FortiClient or will they be behind 2 additional firewalls?
Hello @MethodNet thanks for your reply,
No between fortigate and dns server is another router, I just didn't draw it :)
That makes it easier. I was trying to figure out how to do load balancing with dynamic IPs, that was a brain teaser. I would say that there are 2 ways to do this. First, you can use your FortiGate as the DNS server and forward requests to both DNS servers. Set up the DNS servers as your system DNS servers. That is by far the easiest way to go. and no policies are needed.
Second, you can configure a load balanced IP, not a virtual IP, and have traffic balanced between the two DNS servers. If you haven't enabled this feature, you will need to enable it so you can see it in the GUI. This will test the connection to the DNS servers and only send requests to the available DNS server(s). Doing it this way will require policies from every source interface. The best way to deal with 2 destination IPsec tunnels would be to put them in a zone so you would have a policy similar to the following:
Src Int: lan
Dst Int: DNS_Zone
Src Address: lan_Net
Dst Address: DNS_Loadbalanced_IP
Service: DNS
I would like to do something like:
Configure Virtual Server on fortigate which will do Balancing and HA (for DNS)
On client PC I will enter IP address of Virtual Server (10.0.2.1). And when fortigate receive dns request from this pc it redirect this request to DNS-1 or DNS-2 (based on algorithm). If DNS-1 go down, Fortigate will redirect all dns requests to DNS-2.
We did some tests and it works, but not sure how do I need to apply policy correctly.
Created on 11-24-2023 06:32 AM Edited on 11-24-2023 06:34 AM
You would use the policy template in option 2. Let's say you have the default lan or internal interface on your firewall and 2 VPN tunnels to the 2 remote locations. You will need to create a zone and include both VPN tunnels in that zone. Then you will need to create a policy from your lan/internal network to the VPN zone and use the load balanced object as the destination and DNS as the service.
You probably have more than one network on behind your FortiGate, so you will need to set up a policy like this for every source interface or zone you have to the VPN zone and use the load balanced object as the destination.
I've done something very similar using remote desktop hosts and this worked for that, so I would assume that DNS would work as well.
Thanks @MethodNet
Understood that every needed interfaces I need to select as source interface and in destination I need to use Object, but which should be destination interface?
I created loopback-1 and assigned IP 10.0.2.1 (Which is Load Balancer IP).
Do I need to select destination interface loopback-1 or I don't even need interface?
Your destination interface will be a zone that includes both of your VPN interfaces. That is the critical part to make this work.
Just Assuming.
If DNS-1 is placed after IPsec interface and DNS-2 is after LAN Interface-1 policy will bi like:
source all needed Interfaces and Source IP addresses and in destination should be Load Balancer Object, and IPsec and Lan Interface-1 as destination interface correct?
If you want to have policies with multiple interfaces, you can try it like that. It is typically better to have single interfaces in each policy which is why you need a zone. If you prefer the multiple interface option, you can try it. I'm just not sure how well that will work out. I can try to build it in my lab later today or this weekend to see if that will work. You can put Lan and the VPN in the same zone as well.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1641 | |
1069 | |
751 | |
443 | |
210 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.